I would appreciate any donations. Wishlist or send e-mail type donations to maekawa AT daemon-systems.org.

Thank you.

GSS_ACQUIRE_CRED(3) Library Functions Manual GSS_ACQUIRE_CRED(3)
NAMEgss_accept_sec_context, gss_acquire_cred, gss_add_cred,
gss_add_oid_set_member, gss_canonicalize_name, gss_compare_name,
gss_context_time, gss_create_empty_oid_set, gss_delete_sec_context,
gss_display_name, gss_display_status, gss_duplicate_name,
gss_export_name, gss_export_sec_context, gss_get_mic, gss_import_name,
gss_import_sec_context, gss_indicate_mechs, gss_init_sec_context,
gss_inquire_context, gss_inquire_cred, gss_inquire_cred_by_mech,
gss_inquire_mechs_for_name, gss_inquire_names_for_mech,
gss_krb5_ccache_name, gss_krb5_compat_des3_mic, gss_krb5_copy_ccache,
gss_krb5_import_credgsskrb5_extract_authz_data_from_sec_context,
gsskrb5_register_acceptor_identity, gss_krb5_import_ccache,
gss_krb5_get_tkt_flags, gss_process_context_token, gss_release_buffer,
gss_release_cred, gss_release_name, gss_release_oid_set, gss_seal,
gss_sign, gss_test_oid_set_member, gss_unseal, gss_unwrap, gss_verify,
gss_verify_mic, gss_wrap, gss_wrap_size_limit -- Generic Security Service
Application Program Interface library
LIBRARY
GSS-API library (libgssapi, -lgssapi)
SYNOPSIS#include<gssapi/gssapi.h>OM_uint32gss_accept_sec_context(OM_uint32*minor_status,
gss_ctx_id_t*context_handle,
gss_const_cred_id_tacceptor_cred_handle,
constgss_buffer_tinput_token_buffer,
constgss_channel_bindings_tinput_chan_bindings,
gss_name_t*src_name, gss_OID*mech_type,
gss_buffer_toutput_token, OM_uint32*ret_flags,
OM_uint32*time_rec, gss_cred_id_t*delegated_cred_handle);
OM_uint32gss_acquire_cred(OM_uint32*minor_status, gss_const_name_tdesired_name,
OM_uint32time_req, constgss_OID_setdesired_mechs,
gss_cred_usage_tcred_usage, gss_cred_id_t*output_cred_handle,
gss_OID_set*actual_mechs, OM_uint32*time_rec);
OM_uint32gss_add_cred(OM_uint32*minor_status,
gss_const_cred_id_tinput_cred_handle, gss_const_name_tdesired_name,
constgss_OIDdesired_mech, gss_cred_usage_tcred_usage,
OM_uint32initiator_time_req, OM_uint32acceptor_time_req,
gss_cred_id_t*output_cred_handle, gss_OID_set*actual_mechs,
OM_uint32*initiator_time_rec, OM_uint32*acceptor_time_rec);
OM_uint32gss_add_oid_set_member(OM_uint32*minor_status,
constgss_OIDmember_oid, gss_OID_set*oid_set);
OM_uint32gss_canonicalize_name(OM_uint32*minor_status,
gss_const_name_tinput_name, constgss_OIDmech_type,
gss_name_t*output_name);
OM_uint32gss_compare_name(OM_uint32*minor_status, gss_const_name_tname1,
gss_const_name_tname2, int*name_equal);
OM_uint32gss_context_time(OM_uint32*minor_status,
gss_const_ctx_id_tcontext_handle, OM_uint32*time_rec);
OM_uint32gss_create_empty_oid_set(OM_uint32*minor_status,
gss_OID_set*oid_set);
OM_uint32gss_delete_sec_context(OM_uint32*minor_status,
gss_ctx_id_t*context_handle, gss_buffer_toutput_token);
OM_uint32gss_display_name(OM_uint32*minor_status, gss_const_name_tinput_name,
gss_buffer_toutput_name_buffer, gss_OID*output_name_type);
OM_uint32gss_display_status(OM_uint32*minor_status, OM_uint32status_value,
intstatus_type, constgss_OIDmech_type, OM_uint32*message_context,
gss_buffer_tstatus_string);
OM_uint32gss_duplicate_name(OM_uint32*minor_status, gss_const_name_tsrc_name,
gss_name_t*dest_name);
OM_uint32gss_export_name(OM_uint32*minor_status, gss_const_name_tinput_name,
gss_buffer_texported_name);
OM_uint32gss_export_sec_context(OM_uint32*minor_status,
gss_ctx_id_t*context_handle, gss_buffer_tinterprocess_token);
OM_uint32gss_get_mic(OM_uint32*minor_status, gss_const_ctx_id_tcontext_handle,
gss_qop_tqop_req, constgss_buffer_tmessage_buffer,
gss_buffer_tmessage_token);
OM_uint32gss_import_name(OM_uint32*minor_status,
constgss_buffer_tinput_name_buffer, constgss_OIDinput_name_type,
gss_name_t*output_name);
OM_uint32gss_import_sec_context(OM_uint32*minor_status,
constgss_buffer_tinterprocess_token,
gss_ctx_id_t*context_handle);
OM_uint32gss_indicate_mechs(OM_uint32*minor_status, gss_OID_set*mech_set);
OM_uint32gss_init_sec_context(OM_uint32*minor_status,
gss_const_cred_id_tinitiator_cred_handle,
gss_ctx_id_t*context_handle, gss_const_name_ttarget_name,
constgss_OIDmech_type, OM_uint32req_flags, OM_uint32time_req,
constgss_channel_bindings_tinput_chan_bindings,
constgss_buffer_tinput_token, gss_OID*actual_mech_type,
gss_buffer_toutput_token, OM_uint32*ret_flags,
OM_uint32*time_rec);
OM_uint32gss_inquire_context(OM_uint32*minor_status,
gss_const_ctx_id_tcontext_handle, gss_name_t*src_name,
gss_name_t*targ_name, OM_uint32*lifetime_rec,
gss_OID*mech_type, OM_uint32*ctx_flags, int*locally_initiated,
int*open_context);
OM_uint32gss_inquire_cred(OM_uint32*minor_status,
gss_const_cred_id_tcred_handle, gss_name_t*name,
OM_uint32*lifetime, gss_cred_usage_t*cred_usage,
gss_OID_set*mechanisms);
OM_uint32gss_inquire_cred_by_mech(OM_uint32*minor_status,
gss_const_cred_id_tcred_handle, constgss_OIDmech_type,
gss_name_t*name, OM_uint32*initiator_lifetime,
OM_uint32*acceptor_lifetime, gss_cred_usage_t*cred_usage);
OM_uint32gss_inquire_mechs_for_name(OM_uint32*minor_status,
gss_const_name_tinput_name, gss_OID_set*mech_types);
OM_uint32gss_inquire_names_for_mech(OM_uint32*minor_status,
constgss_OIDmechanism, gss_OID_set*name_types);
OM_uint32gss_krb5_ccache_name(OM_uint32*minor, constchar*name,
constchar**old_name);
OM_uint32gss_krb5_copy_ccache(OM_uint32*minor, gss_cred_id_tcred,
krb5_ccacheout);
OM_uint32gss_krb5_import_cred(OM_uint32*minor_status, krb5_ccacheid,
krb5_principalkeytab_principal, krb5_keytabkeytab,
gss_cred_id_t*cred);
OM_uint32gss_krb5_compat_des3_mic(OM_uint32*minor_status,
gss_ctx_id_tcontext_handle, intonoff);
OM_uint32gsskrb5_extract_authz_data_from_sec_context(OM_uint32*minor_status,
gss_ctx_id_tcontext_handle, intad_type, gss_buffer_tad_data);
OM_uint32gsskrb5_register_acceptor_identity(constchar*identity);
OM_uint32gss_krb5_import_cache(OM_uint32*minor, krb5_ccacheid,
krb5_keytabkeytab, gss_cred_id_t*cred);
OM_uint32gss_krb5_get_tkt_flags(OM_uint32*minor_status,
gss_ctx_id_tcontext_handle, OM_uint32*tkt_flags);
OM_uint32gss_process_context_token(OM_uint32*minor_status,
gss_const_ctx_id_tcontext_handle, constgss_buffer_ttoken_buffer);
OM_uint32gss_release_buffer(OM_uint32*minor_status, gss_buffer_tbuffer);
OM_uint32gss_release_cred(OM_uint32*minor_status, gss_cred_id_t*cred_handle);
OM_uint32gss_release_name(OM_uint32*minor_status, gss_name_t*input_name);
OM_uint32gss_release_oid_set(OM_uint32*minor_status, gss_OID_set*set);
OM_uint32gss_seal(OM_uint32*minor_status, gss_ctx_id_tcontext_handle,
intconf_req_flag, intqop_req, gss_buffer_tinput_message_buffer,
int*conf_state, gss_buffer_toutput_message_buffer);
OM_uint32gss_sign(OM_uint32*minor_status, gss_ctx_id_tcontext_handle,
intqop_req, gss_buffer_tmessage_buffer,
gss_buffer_tmessage_token);
OM_uint32gss_test_oid_set_member(OM_uint32*minor_status, constgss_OIDmember,
constgss_OID_setset, int*present);
OM_uint32gss_unseal(OM_uint32*minor_status, gss_ctx_id_tcontext_handle,
gss_buffer_tinput_message_buffer,
gss_buffer_toutput_message_buffer, int*conf_state,
int*qop_state);
OM_uint32gss_unwrap(OM_uint32*minor_status, gss_const_ctx_id_tcontext_handle,
constgss_buffer_tinput_message_buffer,
gss_buffer_toutput_message_buffer, int*conf_state,
gss_qop_t*qop_state);
OM_uint32gss_verify(OM_uint32*minor_status, gss_ctx_id_tcontext_handle,
gss_buffer_tmessage_buffer, gss_buffer_ttoken_buffer,
int*qop_state);
OM_uint32gss_verify_mic(OM_uint32*minor_status,
gss_const_ctx_id_tcontext_handle, constgss_buffer_tmessage_buffer,
constgss_buffer_ttoken_buffer, gss_qop_t*qop_state);
OM_uint32gss_wrap(OM_uint32*minor_status, gss_const_ctx_id_tcontext_handle,
intconf_req_flag, gss_qop_tqop_req,
constgss_buffer_tinput_message_buffer, int*conf_state,
gss_buffer_toutput_message_buffer);
OM_uint32gss_wrap_size_limit(OM_uint32*minor_status,
gss_const_ctx_id_tcontext_handle, intconf_req_flag,
gss_qop_tqop_req, OM_uint32req_output_size,
OM_uint32*max_input_size);
DESCRIPTION
Generic Security Service API (GSS-API) version 2, and its C binding, is
described in RFC2743 and RFC2744. Version 1 (deprecated) of the C
binding is described in RFC1509.
Heimdals GSS-API implementation supports the following mechanisms
o GSS_KRB5_MECHANISM
o GSS_SPNEGO_MECHANISM
GSS-API have generic name types that all mechanism are supposed to
implement (if possible):
o GSS_C_NT_USER_NAME
o GSS_C_NT_MACHINE_UID_NAME
o GSS_C_NT_STRING_UID_NAME
o GSS_C_NT_HOSTBASED_SERVICE
o GSS_C_NT_ANONYMOUS
o GSS_C_NT_EXPORT_NAME
GSS-API implementations that supports Kerberos 5 have some additional
name types:
o GSS_KRB5_NT_PRINCIPAL_NAME
o GSS_KRB5_NT_USER_NAME
o GSS_KRB5_NT_MACHINE_UID_NAME
o GSS_KRB5_NT_STRING_UID_NAME
In GSS-API, names have two forms, internal names and contiguous string
names.
o Internal name and mechanism name
Internal names are implementation specific representation of a GSS-
API name. Mechanism names special form of internal names corresponds
to one and only one mechanism.
In GSS-API an internal name is stored in a gss_name_t.
o Contiguous string name and exported name
Contiguous string names are gssapi names stored in a OCTET STRING
that together with a name type identifier (OID) uniquely specifies a
gss-name. A special form of the contiguous string name is the
exported name that have a OID embedded in the string to make it
unique. Exported name have the nametype GSS_C_NT_EXPORT_NAME.
In GSS-API an contiguous string name is stored in a gss_buffer_t.
Exported names also have the property that they are specified by the
mechanism itself and compatible between different GSS-API
implementations.
ACCESSCONTROL
There are two ways of comparing GSS-API names, either comparing two
internal names with each other or two contiguous string names with either
other.
To compare two internal names with each other, import (if needed) the
names with gss_import_name() into the GSS-API implementation and the
compare the imported name with gss_compare_name().
Importing names can be slow, so when its possible to store exported names
in the access control list, comparing contiguous string name might be
better.
when comparing contiguous string name, first export them into a
GSS_C_NT_EXPORT_NAME name with gss_export_name() and then compare with
memcmp(3).
Note that there are might be a difference between the two methods of
comparing names. The first (using gss_compare_name()) will compare to
(unauthenticated) names are the same. The second will compare if a
mechanism will authenticate them as the same principal.
For example, if gss_import_name() name was used with GSS_C_NO_OID the
default syntax is used for all mechanism the GSS-API implementation
supports. When compare the imported name of GSS_C_NO_OID it may match
several mechanism names (MN).
The resulting name from gss_display_name() must not be used for acccess
control.
FUNCTIONSgss_display_name() takes the gss name in input_name and puts a printable
form in output_name_buffer. output_name_buffer should be freed when done
using gss_release_buffer(). output_name_type can either be NULL or a
pointer to a gss_OID and will in the latter case contain the OID type of
the name. The name must only be used for printing. If access control is
needed, see section ACCESSCONTROL.
gss_inquire_context() returns information about the context. Information
is available even after the context have expired. lifetime_rec argument
is set to GSS_C_INDEFINITE (don't expire) or the number of seconds that
the context is still valid. A value of 0 means that the context is
expired. mech_type argument should be considered readonly and must not
be released. src_name and dest_name() are both mechanims names and must
be released with gss_release_name() when no longer used.
gss_context_time will return the amount of time (in seconds) of the
context is still valid. If its expired time_rec will be set to 0 and
GSS_S_CONTEXT_EXPIRED returned.
gss_sign(), gss_verify(), gss_seal(), and gss_unseal() are part of the
GSS-API V1 interface and are obsolete. The functions should not be used
for new applications. They are provided so that version 1 applications
can link against the library.
EXTENSIONSgss_krb5_ccache_name() sets the internal kerberos 5 credential cache name
to name. The old name is returned in old_name, and must not be freed.
The data allocated for old_name is free upon next call to
gss_krb5_ccache_name(). This function is not threadsafe if old_name
argument is used.
gss_krb5_copy_ccache() will extract the krb5 credentials that are
transferred from the initiator to the acceptor when using token
delegation in the Kerberos mechanism. The acceptor receives the
delegated token in the last argument to gss_accept_sec_context().
gss_krb5_import_cred() will import the krb5 credentials (both keytab
and/or credential cache) into gss credential so it can be used withing
GSS-API. The ccache is copied by reference and thus shared, so if the
credential is destroyed with krb5_cc_destroy, all users of thep
gss_cred_id_t returned by gss_krb5_import_ccache() will fail.
gsskrb5_register_acceptor_identity() sets the Kerberos 5 filebased keytab
that the acceptor will use. The identifier is the file name.
gsskrb5_extract_authz_data_from_sec_context() extracts the Kerberos
authorizationdata that may be stored within the context. Tha caller must
free the returned buffer ad_data with gss_release_buffer() upon success.
gss_krb5_get_tkt_flags() return the ticket flags for the kerberos ticket
receive when authenticating the initiator. Only valid on the acceptor
context.
gss_krb5_compat_des3_mic() turns on or off the compatibility with older
version of Heimdal using des3 get and verify mic, this is way to
programmatically set the [gssapi]broken_des3_mic and
[gssapi]correct_des3_mic flags (see COMPATIBILITY section in gssapi(3)).
If the CPP symbol GSS_C_KRB5_COMPAT_DES3_MIC is present,
gss_krb5_compat_des3_mic() exists. gss_krb5_compat_des3_mic() will be
removed in a later version of the GSS-API library.
SEEALSOgssapi(3), krb5(3), krb5_ccache(3), kerberos(8)
NetBSD 7.1.2 October 26, 2005 NetBSD 7.1.2